diff --git a/SOURCES/0040-AD-Enforcing-GPO-rule-restriction-on-user.patch b/SOURCES/0040-AD-Enforcing-GPO-rule-restriction-on-user.patch
new file mode 100644
index 0000000..527067e
--- /dev/null
+++ b/SOURCES/0040-AD-Enforcing-GPO-rule-restriction-on-user.patch
@@ -0,0 +1,42 @@
+From a06bf788585f5fc14ba16d132665401a7ce7eb35 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
+Date: Thu, 28 May 2020 12:12:58 +0200
+Subject: [PATCH] AD: Enforcing GPO rule restriction on user
+
+This fixes bug related to ad_gpo_implicit_deny option set to True.
+gpo_implict_denay was checked only for dacl_filtered_gpos,
+but not for cse_filtered_gpos.
+
+Resolves:
+https://github.com/SSSD/sssd/issues/5181
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/providers/ad/ad_gpo.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index 53560a754..2c6aa7fa6 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -2541,7 +2541,16 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
+         /* no gpos contain "SecuritySettings" cse_guid, nothing to enforce */
+         DEBUG(SSSDBG_TRACE_FUNC,
+               "no applicable gpos found after cse_guid filtering\n");
+-        ret = EOK;
++
++        if (state->gpo_implicit_deny == true) {
++            DEBUG(SSSDBG_TRACE_FUNC,
++                  "No applicable GPOs have been found and ad_gpo_implicit_deny"
++                  " is set to 'true'. The user will be denied access.\n");
++            ret = ERR_ACCESS_DENIED;
++        } else {
++            ret = EOK;
++        }
++
+         goto done;
+     }
+ 
+-- 
+2.21.3
+
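Review bot: The new branch in ad_gpo_process_gpo_done compares a bool against a literal (`if (state->gpo_implicit_deny == true) {`), which the surrounding context does not do; `if (state->gpo_implicit_deny) {` is the usual form and reads the same. The denial itself is logged at SSSDBG_TRACE_FUNC, the same level as the "no applicable gpos found" trace just above it, so an operator investigating a locked-out user is unlikely to see the reason at a default debug level; a more visible level such as SSSDBG_MINOR_FAILURE, or whatever the dacl_filtered_gpos branch already uses (it is not in this hunk), would make the deny decision discoverable. ad_gpo_process_gpo_done starts and ends outside the hunk, and the `ret` value is consumed at the `done:` label beyond it.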
diff --git a/SOURCES/0041-man-clarify-AD-certificate-rule.patch b/SOURCES/0041-man-clarify-AD-certificate-rule.patch
new file mode 100644
index 0000000..a54281a
--- /dev/null
+++ b/SOURCES/0041-man-clarify-AD-certificate-rule.patch
@@ -0,0 +1,33 @@
+From 3bb910503bb7cbc20105f0a302db400f04436d2a Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Tue, 18 Aug 2020 11:45:18 +0200
+Subject: [PATCH] man: clarify AD certificate rule
+
+Clarify AD specific certificate rule example by changing userPrincipal to
+userPrincipalName. Moreover, match the subject principal name in the
+example with the rule name.
+
+Resolves:
+https://github.com/SSSD/sssd/issues/5278
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/man/sss-certmap.5.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml
+index 10343625e..09aec997c 100644
+--- a/src/man/sss-certmap.5.xml
++++ b/src/man/sss-certmap.5.xml
+@@ -487,7 +487,7 @@
+                         sign.
+                     </para>
+                     <para>
+-                        Example: (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
++                        Example: (|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name}))
+                     </para>
+                     </listitem>
+                 </varlistentry>
+-- 
+2.21.3
+
diff --git a/SOURCES/0042-config-allow-prompting-options-in-configuration.patch b/SOURCES/0042-config-allow-prompting-options-in-configuration.patch
new file mode 100644
index 0000000..20e4c7e
--- /dev/null
+++ b/SOURCES/0042-config-allow-prompting-options-in-configuration.patch
@@ -0,0 +1,72 @@
+From 4526858adb58736066a0b2cf2dc793ddfe671b2b Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Tue, 4 Aug 2020 15:39:51 +0200
+Subject: [PATCH] config: allow prompting options in configuration
+
+False warnings were logged after enabling prompting options in
+configuration file. This change modifies the configuration rules to
+allow prompting options.
+
+Resolves:
+https://github.com/SSSD/sssd/issues/5259
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/config/cfg_rules.ini | 34 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
+index 2874ea048..2d4e7b51d 100644
+--- a/src/config/cfg_rules.ini
++++ b/src/config/cfg_rules.ini
+@@ -14,6 +14,10 @@ section = session_recording
+ section_re = ^secrets/users/[0-9]\+$
+ section_re = ^secrets/secrets$
+ section_re = ^secrets/kcm$
++section_re = ^prompting/password$
++section_re = ^prompting/password/[^/\@]\+$
++section_re = ^prompting/2fa$
++section_re = ^prompting/2fa/[^/\@]\+$
+ section_re = ^domain/[^/\@]\+$
+ section_re = ^domain/[^/\@]\+/[^/\@]\+$
+ section_re = ^application/[^/\@]\+$
+@@ -332,6 +336,36 @@ option = scope
+ option = users
+ option = groups
+ 
++# Prompting during authentication
++[rule/allowed_prompting_password_options]
++validator = ini_allowed_options
++section_re = ^prompting/password$
++
++option = password_prompt
++
++[rule/allowed_prompting_2fa_options]
++validator = ini_allowed_options
++section_re = ^prompting/2fa$
++
++option = single_prompt
++option = first_prompt
++option = second_prompt
++
++[rule/allowed_prompting_password_subsec_options]
++validator = ini_allowed_options
++section_re = ^prompting/password/[^/\@]\+$
++
++option = password_prompt
++
++[rule/allowed_prompting_2fa_subsec_options]
++validator = ini_allowed_options
++section_re = ^prompting/2fa/[^/\@]\+$
++
++option = single_prompt
++option = first_prompt
++option = second_prompt
++
++
+ [rule/allowed_domain_options]
+ validator = ini_allowed_options
+ section_re = ^\(domain\|application\)/[^/]\+$
+-- 
+2.21.3
+
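Review bot: The four new `[rule/allowed_prompting_*]` blocks repeat each option list twice, once for the base section and once for the `/[^/\@]\+` subsection, so a future prompt option has to be added in two places per type. The existing rule at the end of the hunk shows the validator accepts grouping and alternation (`section_re = ^\(domain\|application\)/[^/]\+$`), so each pair could be folded into one rule with `section_re = ^prompting/password\(/[^/\@]\+\)\?$` (and likewise for 2fa), provided the validator's regex dialect accepts `\?` as it does `\+` and `\|`; that needs confirming. The two consecutive blank `+` lines before `[rule/allowed_domain_options]` look unintentional.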
diff --git a/SOURCES/0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch b/SOURCES/0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch
new file mode 100644
index 0000000..95cac65
--- /dev/null
+++ b/SOURCES/0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch
@@ -0,0 +1,77 @@
+From 10366b4ee8c01ea20d908102e92d52fdeda168c3 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Tue, 18 Aug 2020 14:37:04 +0200
+Subject: [PATCH] p11_child: switch default ocsp_dgst to sha1
+
+For details please see discussion at
+https://github.com/SSSD/sssd/pull/837#issuecomment-672831519
+
+:newdefault: sssd:certificate_verification:ocsp_dgst, sha256, sha1
+
+Resolves:
+https://github.com/SSSD/sssd/issues/5002
+
+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/man/sssd.conf.5.xml                | 3 ++-
+ src/p11_child/p11_child_common_utils.c | 6 +++---
+ src/p11_child/p11_child_openssl.c      | 4 ++--
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index 874a09c49..50692dfdd 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -507,7 +507,8 @@
+                                           <listitem><para>sha512</para></listitem>
+                                         </itemizedlist></para>
+                                         <para>
+-                                            Default: sha256
++                                            Default: sha1 (to allow compatibility with
++                                            RFC5019-compliant responder)
+                                         </para>
+                                         <para>(NSS Version) This option is
+                                         ignored, because NSS uses sha1
+diff --git a/src/p11_child/p11_child_common_utils.c b/src/p11_child/p11_child_common_utils.c
+index 6798752c7..95791b1f0 100644
+--- a/src/p11_child/p11_child_common_utils.c
++++ b/src/p11_child/p11_child_common_utils.c
+@@ -43,7 +43,7 @@ static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
+     cert_verify_opts->ocsp_default_responder = NULL;
+     cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
+     cert_verify_opts->crl_file = NULL;
+-    cert_verify_opts->ocsp_dgst = CKM_SHA256;
++    cert_verify_opts->ocsp_dgst = CKM_SHA_1;
+     cert_verify_opts->soft_ocsp = false;
+     cert_verify_opts->soft_crl = false;
+ 
+@@ -174,8 +174,8 @@ errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
+             } else {
+                 DEBUG(SSSDBG_CRIT_FAILURE,
+                       "Unsupported digest for OCSP [%s], "
+-                      "using default sha256.\n", &opts[c][OCSP_DGST_LEN]);
+-                cert_verify_opts->ocsp_dgst = CKM_SHA256;
++                      "using default sha1.\n", &opts[c][OCSP_DGST_LEN]);
++                cert_verify_opts->ocsp_dgst = CKM_SHA_1;
+             }
+ #endif
+         } else if (strcasecmp(opts[c], "soft_ocsp") == 0) {
+diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
+index 321cf162e..04b3e1467 100644
+--- a/src/p11_child/p11_child_openssl.c
++++ b/src/p11_child/p11_child_openssl.c
+@@ -372,8 +372,8 @@ static errno_t do_ocsp(struct p11_ctx *p11_ctx, X509 *cert)
+     ocsp_dgst = get_dgst(p11_ctx->cert_verify_opts->ocsp_dgst);
+     if (ocsp_dgst == NULL) {
+         DEBUG(SSSDBG_OP_FAILURE, "Cannot determine configured digest function "
+-                                 "for OCSP, using default sha256.\n");
+-        ocsp_dgst = EVP_sha256();
++                                 "for OCSP, using default sha1.\n");
++        ocsp_dgst = EVP_sha1();
+     }
+     cid = OCSP_cert_to_id(ocsp_dgst, cert, issuer);
+     if (cid == NULL) {
+-- 
+2.21.3
+
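Review bot: The fallback in do_ocsp (`ocsp_dgst = EVP_sha1();`) is the third place the default digest is spelled out independently — the initializer in init_cert_verify_opts (`CKM_SHA_1`), the unsupported-digest fallback in parse_cert_verify_opts, and this one — with the man page as a fourth; a single named default next to the existing `OCSP_DGST_LEN`, e.g. `#define OCSP_DGST_DEFAULT CKM_SHA_1`, would keep them from drifting the next time the default changes. Because "using default sha1" will alarm readers who do not know which hash this is, the fallback also deserves a why-comment, e.g. `/* Selects the CertID hash for the OCSP request (OCSP_cert_to_id below); RFC 5019 responders require SHA-1 here. It is not the algorithm used to verify the responder's signature. */` — the last sentence should be confirmed against the rest of do_ocsp, which continues outside the hunk.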
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 52cfcd4..afe21c4 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -26,7 +26,7 @@
 
 Name: sssd
 Version: 2.3.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -73,6 +73,10 @@ Patch0036: 0036-TRANSLATIONS-updated-translations-to-include-new-sou.patch
 Patch0037: 0037-Updated-translation-files-Japanese-Chinese-China-Fre.patch
 Patch0038: 0038-sssctl-sssctl-config-check-alternative-snippet-dir.patch
 Patch0039: 0039-certmap-sanitize-LDAP-search-filter.patch
+Patch0040: 0040-AD-Enforcing-GPO-rule-restriction-on-user.patch
+Patch0041: 0041-man-clarify-AD-certificate-rule.patch
+Patch0042: 0042-config-allow-prompting-options-in-configuration.patch
+Patch0043: 0043-p11_child-switch-default-ocsp_dgst-to-sha1.patch
 
 ### Downstream Patches ###
 
@@ -1245,6 +1249,12 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Fri Aug 21 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.3.0-8
+- Resolves: rhbz#1868387 - system not enforcing GPO rule restriction. ad_gpo_implicit_deny = True is not working
+- Resolves: rhbz#1854951 - sss-certmap man page change to add clarification for userPrincipalName attribute from AD schema
+- Resolves: rhbz#1856861 - False errors/warnings are logged in sssd.log file after enabling 2FA prompting settings in sssd.conf
+- Resolves: rhbz#1869683 - p11_child: default value of ocsp_dgst == sha256 doesn't conform RFC5019 and has to be changed to sha1
+
 * Fri Aug 07 2020 Alexey Tikhonov <atikhono@redhat.com> - 2.3.0-7
 - Resolves: rhbz#1723273 - RFE: Add option to specify alternate sssd config file location with "sssctl config-check" command.
 - Resolves: rhbz#1780404 - smartcards: special characters must be escaped when building search filter